
props.conf MAX_DAYS_AGO: editing on indexer or forwarder?

Michael0
New Member

I have added a new host to log to the indexer.

But I just want the last 5 days to be indexed.

So I changed in props.conf file from the forwarder:

MAX_DAYS_AGO from the default 2000 to 5.

Now, when I look at the indexer I can see logs back to Jan. 2014.

I also changed the value on the indexer itself, MAX_DAYS_AGO from 2000 to 5, but I still get log files indexed that are older than 5 days.

Where do I have to change this setting so it works correctly?

Thx


vigneshnarendra
Explorer

You can use ignoreOlderThan = 5 at the Universal Forwarder to restrict indexing of logs older than 5 days.


linu1988
Champion

Hello Michael,
You need to put the configuration at the indexer end rather than at the forwarder. If you are not using a heavy forwarder, the configuration is of no use at the forwarder end, which doesn't parse your raw data. So put the same setting on the indexer, which will work as you expect.

Thanks


Michael0
New Member

OK, so I just have to make a copy of $SPLUNK_HOME/etc/system/default/props.conf to $SPLUNK_HOME/etc/system/local/props.conf with the value:
[default]
MAX_DAYS_AGO=5

And it should work?


Michael0
New Member

I have not created any configs; I just changed the setting on the forwarder under /opt/splunkforwarder/etc/system/default/props.conf from MAX_DAYS_AGO=2000 to MAX_DAYS_AGO=5, then restarted the splunk service.


lukejadamec
Super Champion

Can you post the inputs.conf stanza for this input, and any props.conf you've created for this input?


Michael0
New Member

Thank you Luke for your answer!
I'm working on a Linux system, where I have added /var/log as the path for syslogging. Can you give me an example of how my props.conf should be configured when I just want to index the last 5 days?


lukejadamec
Super Champion

This should be set in props.conf, in the source or sourcetype stanza for that source or sourcetype, on the indexer in etc/system/local/.
This will only affect new events; events that are already indexed will still be there.

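The answers above split the two age controls across tiers: ignoreOlderThan is an inputs.conf setting that the forwarder's monitor input evaluates against each file's modification time, while MAX_DAYS_AGO is a props.conf setting applied wherever events are parsed (the indexer, or a heavy forwarder), which is why editing it on a universal forwarder changes nothing. One caveat the thread does not spell out: MAX_DAYS_AGO does not drop old events. An event whose extracted timestamp is older than the limit is still indexed, stamped with the last accepted timestamp, or with the current time if no event has been accepted yet. The Python below is an added example, not Splunk code and not anything posted in this thread; it parses constructed inputs.conf and props.conf fragments and replays both rules over constructed syslog lines and file modification times. The "current time", file names, log lines and mtimes are all constructed.

```python
"""Replay Splunk's two 'age' controls over constructed input.

Added example, not Splunk code. Models:
  * inputs.conf  ignoreOlderThan  (forwarder, [monitor://] stanza): a whole
    file is skipped when its modification time is older than the limit.
  * props.conf   MAX_DAYS_AGO (parsing tier: indexer or heavy forwarder):
    an extracted timestamp older than the limit is rejected, but the event is
    still indexed, stamped with the last accepted time (or 'now').
"""
from datetime import datetime, timedelta

# Constructed "current time" for the whole simulation (not wall-clock).
NOW = datetime(2014, 6, 10, 12, 0, 0)

# Constructed forwarder inputs.conf: ignoreOlderThan belongs in the monitor stanza.
INPUTS_CONF = """
[monitor:///var/log]
sourcetype = syslog
ignoreOlderThan = 5d
"""

# Constructed indexer props.conf (etc/system/local), as the thread recommends:
# MAX_DAYS_AGO in the sourcetype stanza, overriding the shipped default of 2000.
PROPS_CONF = """
[syslog]
MAX_DAYS_AGO = 5
"""

# Constructed monitored files: path -> (mtime, lines). Timestamps are ISO-8601.
FILES = {
    "/var/log/syslog": (NOW, [
        "2014-01-05T08:00:00 host sshd[101]: Accepted publickey for alice",
        "2014-06-09T09:15:00 host sshd[102]: Failed password for root",
        "2014-06-10T11:59:00 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash",
    ]),
    "/var/log/syslog.1": (NOW - timedelta(days=30), [
        "2014-05-10T10:00:00 host sshd[90]: Accepted password for bob",
    ]),
}


def parse_conf(text):
    """Minimal .conf parser: returns {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_age(value):
    """ignoreOlderThan takes <int>[s|m|h|d]; a bare integer means seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if value[-1] in units:
        return timedelta(seconds=int(value[:-1]) * units[value[-1]])
    return timedelta(seconds=int(value))


def forwarder_select(inputs_conf, files, now=NOW):
    """Forwarder side: for each [monitor://<path>] stanza keep the files under
    <path> whose mtime is within ignoreOlderThan. Whole-file, mtime-based:
    a recently appended file is read in full, old events included."""
    chosen = []
    for stanza, keys in parse_conf(inputs_conf).items():
        if not stanza.startswith("monitor://"):
            continue
        root = stanza[len("monitor://"):]
        limit = parse_age(keys["ignoreOlderThan"]) if "ignoreOlderThan" in keys else None
        for path, (mtime, _lines) in files.items():
            if path.startswith(root) and (limit is None or now - mtime <= limit):
                chosen.append(path)
    return sorted(chosen)


def indexer_stamp(props_conf, sourcetype, lines, now=NOW):
    """Parsing tier: apply MAX_DAYS_AGO from the sourcetype stanza (falling back
    to [default]). Returns (raw_line, assigned_time) for every line; nothing is
    dropped, too-old timestamps are replaced."""
    conf = parse_conf(props_conf)
    keys = conf.get(sourcetype, conf.get("default", {}))
    max_age = timedelta(days=int(keys.get("MAX_DAYS_AGO", 2000)))
    last_ok, out = None, []
    for line in lines:
        extracted = datetime.fromisoformat(line.split(" ", 1)[0])
        if now - extracted > max_age:
            assigned = last_ok if last_ok is not None else now
        else:
            assigned = last_ok = extracted
        out.append((line, assigned))
    return out


def simulate(now=NOW):
    """End to end: forwarder picks files, then the indexer stamps each event."""
    files_read = forwarder_select(INPUTS_CONF, FILES, now)
    lines = [line for path in files_read for line in FILES[path][1]]
    return files_read, indexer_stamp(PROPS_CONF, "syslog", lines, now)


if __name__ == "__main__":
    read, indexed = simulate()
    print("files read by forwarder:", read)
    for raw, stamp in indexed:
        print(f"{stamp.isoformat()}  <-  {raw}")
```

Running it shows the rotated syslog.1 skipped entirely by the forwarder (mtime 30 days old), while the live syslog is read in full: three events are indexed, and the January event arrives stamped with the current time rather than being dropped. If the goal really is "nothing older than 5 days at all", ignoreOlderThan on the forwarder only helps for files that are no longer being written; per-event filtering needs a different mechanism. Separately, keep edits out of etc/system/default on either tier, since that directory is replaced on upgrade; etc/system/local (or an app's local directory) is where overrides belong.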